Description of problem:
The manpage for request-key.conf(5) states:

    <op> <type> <description> <callout-info> <prog> <arg1> <arg2> ...

    The first four fields are used to match the parameters passed to request-key by the kernel. op is the operation type; currently the only supported operation is "create". type, description and callout-info match the three parameters passed to keyctl request2 or the request_key() system call. Each of these may contain one or more asterisk '*' characters as wildcards anywhere within the string.

However, the code in keyutils.c states that only one asterisk is allowed in the entire pattern:

    /*****************************************************************************/
    /*
     * attempt to match a datum to a pattern
     * - one asterisk is allowed anywhere in the pattern to indicate a wildcard
     * - returns true if matched, false if not
     */
    static int match(const char *pattern, int plen, const char *datum, int dlen)

Multiple wildcards are necessary whenever a description contains more than one dynamic field, for example with cifs.spnego:

    ver=0x2;host=SERVER_HOSTNAME;ip4=SERVER_IP;sec=krb5;uid=0x0;creduid=0x0;user=USERNAME;pid=PID

Version-Release number of selected component (if applicable):
keyutils-1.5.10-9.el8.x86_64

How reproducible:
Easy

Steps to Reproduce:
1. Add rules containing multiple asterisks to the relevant request-key file, /etc/request-key.d/cifs.spnego.conf:

    create cifs.spnego ver=*;host=*;ip4=*;sec=krb5;uid=0x0;creduid=0x0;user=MYUSER1@*,pid=* /usr/sbin/cifs.upcall -t /path/to/MYUSER1.keytab %k
    create cifs.spnego ver=*;host=*;ip4=*;sec=krb5;uid=0x0;creduid=0x0;user=MYUSER2@*,pid=* /usr/sbin/cifs.upcall -t /path/to/MYUSER2.keytab %k

2. Attempt to mount a cifs share using krb5 (it is not necessary to actually have cifs+kerberos set up correctly):

    # mount //server/share /mnt/tmp -o sec=krb5,user=MYUSER1
    # mount //server/share /mnt/tmp -o sec=krb5,user=MYUSER2

Actual results:
Strings with multiple wildcards will not match.

Expected results:
Multiple wildcards are accepted and work as described in the manpage.

Additional info:
Note: when I said it is not necessary to have cifs+kerberos set up, I meant simply in order to test the matching; either recompiling request-key with debugging enabled or replacing the cifs.upcall with a script that logs its execution would work to verify that the matching is working as expected.
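For contrast with the single-asterisk match() quoted above, here is an added example (not keyutils code) of a datum/pattern matcher that accepts any number of '*' wildcards, exercised against a cifs.spnego-style description; the hostname, IP, realm and pid values in it are constructed.

```c
/* Added example, not from keyutils: wildcard matcher allowing any number of
 * '*' in the pattern. Each '*' matches any run of characters, possibly empty;
 * every other character must match literally. Uses the classic single
 * backtrack point, so it runs in O(plen * dlen) worst case with no recursion. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

static bool match_multi(const char *pattern, size_t plen,
                        const char *datum, size_t dlen)
{
    size_t p = 0, d = 0;
    size_t star_p = (size_t)-1; /* index of the most recent '*' seen, or none */
    size_t star_d = 0;          /* datum position that '*' currently covers up to */

    while (d < dlen) {
        if (p < plen && pattern[p] == '*') {
            star_p = p++;       /* remember the star, try matching it as empty first */
            star_d = d;
        } else if (p < plen && pattern[p] == datum[d]) {
            p++;                /* literal character matched */
            d++;
        } else if (star_p != (size_t)-1) {
            p = star_p + 1;     /* mismatch: let the last '*' absorb one more char */
            d = ++star_d;
        } else {
            return false;       /* mismatch with no wildcard to extend */
        }
    }
    while (p < plen && pattern[p] == '*')
        p++;                    /* trailing stars may match the empty string */
    return p == plen;
}

/* Convenience wrapper for NUL-terminated rule patterns and key descriptions. */
bool match_desc(const char *pattern, const char *datum)
{
    return match_multi(pattern, strlen(pattern), datum, strlen(datum));
}

/* Constructed sample: the description format from the report, with the
 * semicolon separator used consistently, and a multi-wildcard rule pattern. */
const char *sample_desc =
    "ver=0x2;host=fs1.example.com;ip4=192.0.2.10;sec=krb5;uid=0x0;"
    "creduid=0x0;user=MYUSER1@EXAMPLE.COM;pid=1234";
const char *rule_user1 =
    "ver=*;host=*;ip4=*;sec=krb5;uid=0x0;creduid=0x0;user=MYUSER1@*;pid=*";
const char *rule_user2 =
    "ver=*;host=*;ip4=*;sec=krb5;uid=0x0;creduid=0x0;user=MYUSER2@*;pid=*";
```

A rule that is only distinguished by the user field, as in the report, selects the right keytab only if every other dynamic field is also matched by a wildcard.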